From segregation to integration - The strategic path to IT/OT convergence

Guest blog by Nathan Tittensor, Director at tmc3 Limited #techUKOTSecurity

Over the past decade, it's clear that the convergence of Information Technology (IT) and Operational Technology (OT) systems has been increasingly recognised for its potential to enhance efficiency, innovation, and competitiveness across various industries. However, this blending of digital and physical infrastructures also introduces significant risks that must be carefully managed. Organisations aiming to leverage IT/OT convergence effectively must understand that this is as much of ‘culture programme’ as it is a ‘technology project’.

Understanding IT/OT Convergence

While IT apps are almost always standardised across the enterprise, OT solutions rarely are. Most organisations use a multitude of vendors and versions—sometimes even within a single site. This layer of complexity is exacerbated when you think about that most OT systems were designed to be air gapped and never connected to any IT systems.

Securing OT poses various challenges, encompassing technical hurdles like outdated and remote solutions, operational complexities in determining IT and OT team responsibilities, and people constraints such as a scarcity of skilled professionals. Nonetheless, as the digital landscape evolves, industrial organisations are advancing in safeguarding the OT/IT convergence by following three fundamental principles:

Improving the technological infrastructure. Enhancing security by conducting a baselining exercise and implementing appropriate access controls and standardised measures using new cutting-edge technology.
Defining clear roles and responsibilities for both OT and IT teams.
Enhancing awareness of risks and fostering a proactive mindset through incentivising the right behaviours.

Key factors to succeed with OT/IT Convergence

Navigating the complexities of this convergence requires a strategic blend of culture change, technologies, processes, and organisational capabilities. Through our collaboration with Defence, Civil Nuclear and Central Government Departments, we see three pivotal factors for bringing OT and IT closer together within an organisation. These factors revolve around the core principles of technological infrastructure, building clear governance in operations, and cultivating a cyber-aware culture and mindset.

Baselining technological foundations

Designing OT environments with security in mind, ensuring proper access and standardised controls, is crucial for mitigating risks based on asset criticality. OT systems historically operated in isolation, limiting their exposure to cyber threats. Integrating these systems with IT networks expands the attack surface, making critical infrastructure more susceptible to cyber attacks that could disrupt operations, compromise safety, or lead to significant financial losses.

Segregating OT networks from others and within themselves to address the growing need for secure integration between IT and OT systems. Implementing security controls, such as designing a secure network architecture for industrial plants and utilising strict configurations such as firewalls, is essential. Configuring security solutions effectively is key. While implementing security controls and updates is important, proper configuration, management, and administration play a crucial role in ensuring effective security measures.

Operations and Governance

The integration of IT and OT systems introduces complexity in management, requiring new governance models to ensure both efficiency and security. Organisations must navigate challenges related to standards, protocols, and interoperability between systems that were not originally designed to interact. Implementing standardised security governance is essential to align IT, OT, and external partners for swift responses to cyber threats and to prevent disruptions that can impact operations.

Establishing governance and collaboration between OT and IT teams clarifies ownership and roles in safeguarding assets and systems. It is crucial to define clear responsibilities for devices like smart meters and digital twins and also systems and networks.

Implementing governance frameworks that accommodate the complexities of integrated systems. Variations in sites, OEMs, and devices can hinder the standardisation of OT processes like network architecture and firewall rules. Establishing uniform standards for architecture and controls facilitates the implementation of integrated cyber security initiatives.

Adopting risk-based operational strategies - different OT and IT systems/assets have varying levels of criticality for business continuity and safety. Identifying the value and criticality of each asset through Business Impact Assessment and Critical Assets Registers, enables organisations to prioritise business and plant continuity while maintaining cyber security measures.

Elevating cyber-aware capabilities and mindsets

Effective IT/OT integration requires a workforce that understands both domains. Providing the right initiatives is crucial in ensuring that stakeholders (IT, OT, and business teams) are well-informed about cyber risks and possess the expertise to proactively identify and mitigate threats.

Upskilling or hiring – new OT-IT roles demand a deep understanding of interoperability, specific systems and cyber security, a rare combination to come by. By bolstering internal upskilling initiatives and offering attractive packages, organisations can attract and nurture the necessary hybrid skills needed to fulfil these roles.

Supplier management - due to the intricate nature of OT systems and ubiquitous nature of IT systems, organisations often have a wide array of vendors, posing challenges in cyber security safeguarding. Establishing mechanisms to assure/manage vendors and establish key performance indicators (KPIs) for their services is key to streamlining operations and enhancing accountability, particularly in scenarios of disaster recovery.

Instilling a culture of cyber security awareness. Cyber security transcends both OT and IT, extending into the fabric of CNI operations. Recognising that cyber security is everyone’s responsibility, enhancing training programmes across organisation, IT, and OT stakeholders plays a pivotal role in heightening awareness of cyber threats and effective mitigation strategies.

Closing thoughts

Achieving successful integration of IT and OT is a complex journey that demands continuous dedication, collaborative efforts, and a forward-looking approach. By prioritising the people, change and education aspects of the journey, organisations are well placed to protect their operations while seizing the opportunities that arise from the convergence of IT and OT. This smooths the path for an operating model where the digital and physical worlds seamlessly merge, benefiting all stakeholders involved.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more